Google Uncovers How Just Visiting Some Sites Were Secretly Hacking iPhones For Years

Beware Apple users!

Your iPhone can be hacked just by visiting an innocent-looking website, confirms a terrifying report Google researchers released earlier today.

The story goes back to a widespread iPhone hacking campaign that cybersecurity researchers from Google’s Project Zero discovered earlier this year in the wild, involving at least five unique iPhone exploit chains capable of remotely jailbreaking an iPhone and implanting spyware on it.

Those iOS exploit chains were found exploiting a total of 14 separate vulnerabilities in Apple’s iOS mobile operating system—of which 7 flaws resided in Safari web browser, 5 in the iOS kernel and 2 separate sandbox escape issues—targeting devices with almost every version in that time-frame from iOS 10 through to the latest version of iOS 12.

According to a deep-dive blog post published by Project Zero researcher Ian Beer, only two of the 14 security vulnerabilities were zero-days, CVE-2019-7287 and CVE-2019-7286, and unpatched at the time of discovery—and surprisingly, the campaign remained undetected for at least two years.

Though the technical details and background story of both then-zero-day vulnerabilities were not available at that time, The Hacker News warned about both the flaws in February after Apple released iOS version 12.1.4 to address them.

“We reported these issues to Apple with a 7-day deadline on 1 Feb 2019, which resulted in the out-of-band release of iOS 12.1.4 on 7 Feb 2019. We also shared the complete details with Apple, which were disclosed publicly on 7 Feb 2019,” Beer says.

Now, as Google researcher explained, the attack was being carried out through a small collection of hacked websites with thousands of visitors per week, targeting every iOS user landing on those websites without discrimination.

“Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant,” Beer says.

Once an iPhone user visited one of the hacked websites through the vulnerable Safari web browser, it triggered WebKit exploits for each exploit chain in an attempt to gain an initial foothold onto the user’s iOS device and stage the privilege escalation exploits to further gain root access to the device, which is the highest level of access.

The iPhone exploits were used to deploy an implant primarily designed to steal files like iMessages, photos, and live GPS location data of users, and upload them to an external server every 60 seconds.

“There is no visual indicator on the device that the implant is running. There’s no way for a user on iOS to view a process listing, so the implant binary makes no attempt to hide its execution from the system,” Beers explains.

The spyware implant also stole the database files from the victim’s device used by popular end-to-end encryption apps like Whatsapp, Telegram, and iMessage to store data, including private chats in the plaintext.

In addition, the implant also had access to users’ device’s keychain data containing credentials, authentication tokens, and certificates used on and by the device.

“The keychain also contains the long-lived tokens used by services such as Google’s iOS Single-Sign-On to enable Google apps to access the user’s account. These will be uploaded to the attackers and can then be used to maintain access to the user’s Google account, even once the implant is no longer running,” Beers says.

While the implant would be automatically wiped off from an infected iPhone upon rebooting thereby leaving no trace of itself, visiting the hacked site again would reinstall the implant.Alternatively, as Beer explains, the attackers may “nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device.”

Takeaway: Since Apple already patched the majority of vulnerabilities exploited by the uncovered iPhone exploits, users are always recommended to keep their devices up-to-date to avoid becoming victims of such attack chains.